Virus Sample Analysis

How to Build a PE File with a TLS Callback


References:
1. tls-callback
2. about-tls-callback-in-windows

A TLS (Thread-local storage) callback is a rather special entry point: the loader runs it before main(), so when a user executes the PE file the TLS entry point runs first and main() only afterwards. Because the callback fires before the program's official entry point, analysis that starts at main() or at the PE entry point misses it, which is why this is one of the tricks many early viruses used. Today 司徒 uses a simple example to show how to build such an executable.

main.cpp

#include "stdafx.h"   // Visual Studio precompiled header; drop this line if the project has none
#include <windows.h>

// Make the linker keep the TLS directory (_tls_used) and our callback pointer even
// though nothing else references them. The C symbol decoration differs between x86 and x64.
#ifdef _WIN64
#pragma comment(linker, "/INCLUDE:_tls_used")
#pragma comment(linker, "/INCLUDE:p_thread_callback_base")
#else
#pragma comment(linker, "/INCLUDE:__tls_used")
#pragma comment(linker, "/INCLUDE:_p_thread_callback_base")
#endif

// TLS callback: the loader calls it before the entry point (DLL_PROCESS_ATTACH),
// again whenever a thread is created or ends, and once more when the process exits.
void NTAPI tls(PVOID module, DWORD reason, PVOID reserved)
{
  switch(reason){
  case DLL_PROCESS_ATTACH:
    MessageBoxA(NULL, "Run from TLS (DLL_PROCESS_ATTACH)", "Info", MB_OK);
    break;
  case DLL_THREAD_ATTACH:
    MessageBoxA(NULL, "Run from TLS (DLL_THREAD_ATTACH)", "Info", MB_OK);
    break;
  case DLL_THREAD_DETACH:
    MessageBoxA(NULL, "Run from TLS (DLL_THREAD_DETACH)", "Info", MB_OK);
    break;
  case DLL_PROCESS_DETACH:
    MessageBoxA(NULL, "Run from TLS (DLL_PROCESS_DETACH)", "Info", MB_OK);
    break;
  }
}

// Put the callback pointer in section .CRT$XLB, between the CRT's .CRT$XLA and
// .CRT$XLZ markers, so it lands in the AddressOfCallBacks table of _tls_used.
// On x64 that table lives in a read-only section, so the pointer must be const.
#ifdef _WIN64
#pragma const_seg(".CRT$XLB")
extern "C" const PIMAGE_TLS_CALLBACK p_thread_callback_base = tls;
#pragma const_seg()
#else
#pragma data_seg(".CRT$XLB")
extern "C" PIMAGE_TLS_CALLBACK p_thread_callback_base = tls;
#pragma data_seg()
#endif

int main(int argc, char** argv)
{
  MessageBoxA(NULL, "Run from Main", "Info", MB_OK);
  return 0;
}

P.S. Compiled with Visual Studio.

Done.


TLS EntryPoint
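The defender's counterpart to the build step above, as an added example that is not part of the original post: a small Python parser that walks the PE headers to data directory 9 (TLS), follows AddressOfCallBacks, and lists the callback RVAs, which is the check an analyst makes before assuming main() or the PE entry point is the first code to run. The sample image it parses is constructed inline and is not a real binary; the parser handles both PE32 and PE32+ layouts.

```python
import struct

def _rva_to_offset(sections, rva):
    for vsize, va, raw_size, raw_ptr in sections:      # one tuple per section header
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def tls_callbacks(pe):
    """Return the RVAs of every TLS callback registered in a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24                                  # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                   # PE32: 4-byte pointers
        base, dirs, fmt, cb_field = struct.unpack_from("<I", pe, opt + 28)[0], opt + 96, "<I", 12
    elif magic == 0x20B:                                 # PE32+: 8-byte pointers
        base, dirs, fmt, cb_field = struct.unpack_from("<Q", pe, opt + 24)[0], opt + 112, "<Q", 24
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    tls_rva = struct.unpack_from("<I", pe, dirs + 9 * 8)[0]   # data directory entry 9 = TLS
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY.AddressOfCallBacks is a VA, not an RVA: subtract ImageBase before mapping it
    cb_va = struct.unpack_from(fmt, pe, _rva_to_offset(sections, tls_rva) + cb_field)[0] if tls_rva else 0
    if not cb_va:
        return []                                        # nothing runs before the entry point
    callbacks, off, step = [], _rva_to_offset(sections, cb_va - base), struct.calcsize(fmt)
    while (va := struct.unpack_from(fmt, pe, off)[0]) != 0:   # table is NULL-terminated
        callbacks.append(va - base)
        off += step
    return callbacks

def build_sample_pe32(callbacks=(0x1100, 0x1150), image_base=0x400000):
    """Constructed minimal PE32 (not a real binary): headers plus one .rdata section with the TLS directory."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 9 * 8, 0x1000, 24)    # TLS directory RVA / size
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + bytes(opt)
           + b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16)
    body = bytearray(0x200)                                 # .rdata: RVA 0x1000, file offset 0x200
    struct.pack_into("<IIIIII", body, 0, 0, 0, 0, image_base + 0x1020, 0, 0)   # IMAGE_TLS_DIRECTORY32
    table = b"".join(struct.pack("<I", image_base + rva) for rva in callbacks)  # trailing zeros terminate it
    body[0x20:0x20 + len(table)] = table
    return hdr.ljust(0x200, b"\0") + bytes(body)
```

Run tls_callbacks() on the bytes of a real executable to list its callbacks; an empty list means no code is registered to run ahead of the entry point.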

